/** default port for DNS traffic. */
#define UNBOUND_DNS_PORT 53
+/** default port for unbound control traffic, registered port with IANA,
+ ub-dns-control 8953/tcp unbound dns nameserver control */
+#define UNBOUND_CONTROL_PORT 8953
+/** the version of unbound-control that this software implements */
+#define UNBOUND_CONTROL_VERSION 1
+
/** default port for DNS traffic. */
#define UNBOUND_DNS_PORT 53
+/** default port for unbound control traffic, registered port with IANA,
+ ub-dns-control 8953/tcp unbound dns nameserver control */
+#define UNBOUND_CONTROL_PORT 8953
+/** the version of unbound-control that this software implements */
+#define UNBOUND_CONTROL_VERSION 1
+
])
AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8])
handle_req(struct daemon_remote* rc, struct rc_state* s, SSL* ssl)
{
int r;
- char magic[5];
+ char pre[10];
+ char magic[7];
char buf[1024];
#ifdef USE_WINSOCK
/* makes it possible to set the socket blocking again. */
#endif
fd_set_block(s->c->fd);
- /* try to read magic UBCT string */
+ /* try to read magic UBCT[version]_space_ string */
ERR_clear_error();
if((r=SSL_read(ssl, magic, (int)sizeof(magic)-1)) <= 0) {
if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN)
log_crypto_err("could not SSL_read");
return;
}
- magic[4] = 0;
- if( r != 4 || strcmp(magic, "UBCT") != 0) {
+ magic[6] = 0;
+ if( r != 6 || strncmp(magic, "UBCT", 4) != 0) {
verbose(VERB_QUERY, "control connection has bad magic string");
+ /* probably wrong tool connected, ignore it completely */
return;
}
if(!ssl_read_line(ssl, buf, sizeof(buf))) {
return;
}
+ snprintf(pre, sizeof(pre), "UBCT%d ", UNBOUND_CONTROL_VERSION);
+ if(strcmp(magic, pre) != 0) {
+ verbose(VERB_QUERY, "control connection had bad "
+ "version %s, cmd: %s", magic, buf);
+ ssl_printf(ssl, "error version mismatch\n");
+ return;
+ }
verbose(VERB_DETAIL, "control cmd: %s", buf);
/* figure out what to do */
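Review bot: The fixed 6-byte read in `SSL_read(ssl, magic, (int)sizeof(magic)-1)` and the `r != 6` test hard-code the length of a header that the same function otherwise derives from `UNBOUND_CONTROL_VERSION` via `snprintf(pre, sizeof(pre), "UBCT%d ", ...)`; as soon as the version has two digits every client is turned away as "bad magic string" instead of getting the "error version mismatch" reply. Formatting `pre` before the read and taking the expected length from it keeps the two in step, with `magic` sized at least as large as `pre`. The compare still treats a short `SSL_read` (a single call may return fewer bytes than asked for) as a bad client; that predates this change, but a read loop up to the header length would be more robust. handle_req's body continues past the end of the hunk.
```c
char pre[10];
char magic[10];
/* … unchanged: buf, fd_set_block, ERR_clear_error … */
snprintf(pre, sizeof(pre), "UBCT%d ", UNBOUND_CONTROL_VERSION);
if((r=SSL_read(ssl, magic, (int)strlen(pre))) <= 0) {
	/* … unchanged: log_crypto_err and return … */
}
magic[r] = 0;
if( r != (int)strlen(pre) || strncmp(magic, "UBCT", 4) != 0) {
	/* … unchanged: bad magic handling … */
}
/* … unchanged: ssl_read_line … */
if(strcmp(magic, pre) != 0) {
	/* … unchanged: version mismatch handling … */
}
```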
+10 June 2011: Wouter
+ - unbound-control has version number in the header,
+ UBCT[version]_space_ is the header sent by the client now.
+ - Unbound control port number is registered with IANA:
+ ub-dns-control 8953/tcp unbound dns nameserver control
+ This is the new default for the control-port config setting.
+
30 May 2011: Wouter
- Fix Makefile for U in environment, since wrong U is more common than
deansification necessity.
Specification for the unbound-control protocol.
-Server listens on 953 TCP (localhost by default). Client connects,
+Server listens on 8953 TCP (localhost by default). Client connects,
SSLv3 or TLSv1 connection setup (server selfsigned certificate,
client has cert signed by server certificate).
+Port 8953 is registered with IANA as:
+ub-dns-control 8953/tcp unbound dns nameserver control
+# Wouter Wijngaards <wouter&nlnetlabs.nl> 10 May 2011
+On may 11 2011, ticket [IANA #442315].
+
Query and Response
------------------
Client sends
- UBCT [commandline] \n
- fixed string UBCT, then an ascii text line, with a command,
- some whitespace allowed. Line ends with '\n'.
+ UBCT[version] [commandline] \n
+ fixed string UBCT1 (for version 1), then an ascii text line,
+ with a command, some whitespace allowed. Line ends with '\n'.
Server executes command. And sends reply in ascii text over channel,
closes the channel when done.
# control-interface: ::1
# port number for remote control operations.
- # control-port: 953
+ # control-port: 8953
# unbound server key file.
# server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
Use 0.0.0.0 and ::0 to listen to all interfaces.
.TP 5
.B control\-port: <port number>
-The port number to listen on for control commands, default is 953
+The port number to listen on for control commands, default is 8953
(that is the same port number named uses to listen to rndc).
If you change this port number, and permissions have been dropped, a
reload is not sufficient to open the port again, you must then restart.
static int
go_cmd(SSL* ssl, int argc, char* argv[])
{
- const char* pre="UBCT";
+ char pre[10];
const char* space=" ";
const char* newline="\n";
int was_error = 0, first_line = 1;
int r, i;
char buf[1024];
+ snprintf(pre, sizeof(pre), "UBCT%d ", UNBOUND_CONTROL_VERSION);
if(SSL_write(ssl, pre, (int)strlen(pre)) <= 0)
ssl_err("could not SSL_write");
for(i=0; i<argc; i++) {
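Review bot: The header format `"UBCT%d "` and the 10-byte `pre` buffer are now spelled out here and again in handle_req in daemon/remote.c, so the client and server can silently drift apart if one side is edited; a single shared string constant next to `UNBOUND_CONTROL_VERSION` in the configure-generated header would let both sides format the header from one place. The `snprintf` return is not checked, which is fine for a one-digit version but worth stating, e.g. `/* "UBCT" + version digits + ' ' + NUL; 10 bytes is ample for a one- or two-digit version */` above the buffer declaration. go_cmd's loop body continues past the end of the hunk.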
cfg->python_script = NULL;
cfg->remote_control_enable = 0;
cfg->control_ifs = NULL;
- cfg->control_port = 953;
+ cfg->control_port = UNBOUND_CONTROL_PORT;
if(!(cfg->server_key_file = strdup(RUN_DIR"/unbound_server.key")))
goto error_exit;
if(!(cfg->server_cert_file = strdup(RUN_DIR"/unbound_server.pem")))